When it comes to protecting your virtual environment there are many things to consider. You need to have backups of your virtual machines and don’t forget about your host configurations.

How to back up your ESXi configuration

There are many reasons that you would want to back up your ESXi configuration, of which the two main ones would be before upgrading to a new version or for DR reasons.

If you are going to be upgrading an existing ESXi host to ESXi 5 you should back up your host configuration before proceeding. With vSphere 5 upgrades there is no option to roll back like there was with vSphere 4 upgrades. This means that a failed upgrade would require you to install ESXi 4.x and restore the configuration.

To back up an ESXi host's configuration you will need the vCLI installed on a server, or you can use the vMA.

Another really nice thing about ESXi is that it's just as easy to restore your backed up configuration as it was to grab the backup. Simply install a clean version of ESXi matching the version that the backup was taken from, connect to the host using vCLI or your vMA appliance, and issue the restore command.

Unfortunately, there is no single command to back up a classic ESX host's configuration.

To accomplish this you will need to back up the following items manually.

Back up the local VMFS file system: templates, VMs and .iso files

Back up any custom scripts

Back up your .vmx files

Back up the /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow files. The /etc/shadow and /etc/gshadow files might not be present on all installations.
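The manual list above can be collected by a small script so that the restore later is a single file copy. The script below is an added example and is not code from the original post; it assumes it runs as root on the ESX service console, takes the filesystem root as a second argument (/ on a real host, a scratch tree when testing), and that custom scripts live under /root/scripts, which is a placeholder path to adjust. Because the archive contains the password hashes from /etc/shadow, it is created readable by root only and a checksum is written alongside it.

```shell
#!/bin/sh
# Added example, not code from the original post: gather the items the post
# lists for a classic ESX host into one archive so that a restore is a single
# file copy. Assumptions: run as root on the service console; $2 is the
# filesystem root ("/" on a real host, a scratch tree when testing); custom
# scripts live under /root/scripts (a placeholder path, adjust to your own).

# backup_esx_config ARCHIVE [ROOT]
# Writes ARCHIVE (a .tgz) plus ARCHIVE.sha1 from the account files, every .vmx
# under vmfs/volumes and the custom script directory beneath ROOT.
backup_esx_config() {
    archive="$1"
    root="${2:-/}"
    list="$(mktemp)"

    # Account databases. The shadow files are not present on every install,
    # so only files that exist go on the list.
    for f in etc/passwd etc/group etc/shadow etc/gshadow; do
        if [ -f "$root/$f" ]; then
            echo "$f" >> "$list"
        fi
    done

    # Every VM configuration file on the local datastores.
    ( cd "$root" && find vmfs/volumes -name '*.vmx' 2>/dev/null ) >> "$list" || true

    # Custom scripts (placeholder location).
    if [ -d "$root/root/scripts" ]; then
        echo "root/scripts" >> "$list"
    fi

    # The archive holds password hashes, so create it readable by root only.
    old_umask=$(umask)
    umask 077
    if tar -czf "$archive" -C "$root" -T "$list"; then
        rc=0
    else
        rc=1
    fi
    umask "$old_umask"
    rm -f "$list"
    [ "$rc" -eq 0 ] || return 1

    chmod 600 "$archive"
    # Record a checksum so a restore can verify the copy was not altered
    # or truncated in transit.
    sha1sum "$archive" > "$archive.sha1"
}

# Stand-alone use: backup_esx.sh /var/tmp/esx-config.tgz [/]
if [ "$#" -ge 1 ]; then
    backup_esx_config "$1" "${2:-/}"
fi
```

Copy the .tgz and its .sha1 off the host together; on restore, check the checksum before extracting with tar -xzf into / on the freshly installed ESX 4.x system.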

How to restore your ESX configuration

If you need to roll back from a failed upgrade or recover from a disaster and need to restore your host, follow this short process. First you will need to install ESX 4.x at the version level that you were running at the time you backed up your files.

Once you have ESX 4.x installed and running at its previous level you can restore the files you backed up earlier. This can be done many ways, but a couple of simple ways would be to use WinSCP or Veeam FastSCP; both are free and easy to use.

Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design


This is something that we get on a regular basis from the security team. When doing their regular security scans for compliance and vulnerabilities, I always get a long list of ESX hosts. The scans normally come back and complain about an OpenSSH X11 vulnerability or an OpenSSH memory and buffer overflow.

These seem to be false positives from the tool being used to scan the hosts. We always make sure that we have installed the necessary updates related to OpenSSH as VMware releases them, but the tool always comes back with these issues. It seems to stem from the fact that the tool looks at OpenSSH in generic terms (typically the version banner) and assumes that all vendors implement it in the same way. From the documents listed below, VMware indicates that since ESX 3.x it no longer includes the X11 packages with its products. I would recommend that you make sure you are up to date on your patches and, if the scans still come back dirty, that you discuss these results with the application vendor that created the scanning tool. You might find out that this is common and they are just false positives.


Today at VMworld 2010 VMware announces the new family of vShield products. The new products in this family are vShield Endpoint, vShield App and vShield Edge. Each product has been designed for a few core functions that help to facilitate and secure the IT as a Service model that VMware is promoting with its new vCloud Director solution. These security related products are going to secure the environment, make management easier and help move down the path to a cloud infrastructure.

I will try to provide some more details about each product below, gathering any details that are available as of today. The image below shows some of the concerns that VMware is addressing, based on what enterprises have been telling them.

vShield Endpoint – vShield Endpoint provides on-host antivirus and malware protection that reduces performance latency and eliminates the need to maintain individual security agents in each and every virtual machine, helping to simplify security administration while minimizing the risk of malware infections. Datasheet

vShield Edge – vShield Edge is a network gateway solution that protects the edges of the virtual datacenter with DHCP, network address translation (NAT), firewalling, load balancing, site-to-site VPN, port group isolation and other capabilities that help organizations maintain proper segmentation between different organizational units. Datasheet

vShield Manager – Included with all vShield products, vShield Manager provides a central point of control for managing, deploying, reporting, logging and integrating third-party security services. Working in conjunction with vCenter Server, vShield Manager also enables role-based access control and administrative delegation as part of a unified framework for managing virtualization security.

vShield Zones – VMware vShield Zones, included with vSphere, provides basic protection from network-based threats in virtual datacenters, with application firewalling and policy management based on administrator-defined zones, using basic traffic information such as the source IP address, the destination port, and so on.

Here is a quote from a VMware product release.

Enterprise Partner Extranets – vShield lets enterprises extend their networks and application resources to branch offices, home offices and business partner sites through site-to-site VPN services that offer simplified provisioning, streamline administrative tasks and improve scalability. All traffic between sites is encrypted using IPsec to maintain the confidentiality and integrity of all site-to-site communications.


I will start this post off with the standard snapshot warning. Just a reminder that snapshots are not backups; they are only a change log of the original virtual disk, and you should not count on them as a backup. There are a number of different reasons that you might use a snapshot. One of my most used reasons would be for a software upgrade: I would use the snapshot to allow for an easy rollback to the machine state prior to the upgrade. If you have some other reasons, leave a comment to share with others.

The maximum supported amount in a chain is 32. However, VMware recommends that you use only 2-3 snapshots in a chain.

Use no single snapshot for more than 24-72 hours.

This prevents snapshots from growing so large as to cause issues when deleting/committing them to the original virtual machine disks. Take the snapshot, make the changes to the virtual machine, and delete/commit the snapshot as soon as you have verified the proper working state of the virtual machine.

Be especially diligent with snapshot use on high-transaction virtual machines such as email and database servers. These snapshots can very quickly grow in size, filling datastore space. Commit snapshots on these virtual machines as soon as you have verified the proper working state of the process you are testing.

If using a third party product that takes advantage of snapshots (such as virtual machine backup software), regularly monitor systems configured for backups to ensure that no snapshots remain active for extensive periods of time.

Snapshots should only be present for the duration of the backup process.

Snapshots taken by third party software (called via API) may not show up in the vCenter Snapshot Manager. Routinely check for snapshots via the command-line.

An excessive number of snapshots in a chain or snapshots large in size may cause decreased virtual machine and host performance.
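The two checks the guidance above calls for, snapshots that have outlived the 24-72 hour window and chains longer than the recommended 2-3, can both be run from the command line against the datastore tree, which also catches snapshots that API-driven backup software created without showing them in Snapshot Manager. The script below is an added example and is not code from the original post; it assumes snapshot delta disks appear as <vm>-<nnnnnn>-delta.vmdk files beneath the datastore root you pass in (/vmfs/volumes on a host) and that the local find(1) understands -mmin, which the BusyBox build on ESXi does.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a datastore tree for
# snapshot delta disks that have outlived the 24-72 hour guidance and for
# chains longer than the recommended 2-3 snapshots.
# Assumptions: snapshots appear as <vm>-<nnnnnn>-delta.vmdk under the root
# given as $1, and find(1) supports -mmin (BusyBox on ESXi does; on builds
# without it, substitute -mtime with a value in days).

# find_stale_snapshots ROOT [MAX_MINUTES]
# Prints every delta disk under ROOT older than MAX_MINUTES (default 72 h),
# one path per line, sorted.
find_stale_snapshots() {
    root="$1"
    max_minutes="${2:-4320}"
    find "$root" -name '*-delta.vmdk' -mmin +"$max_minutes" 2>/dev/null | sort
}

# find_long_chains ROOT [MAX_CHAIN]
# Prints "<vm directory> <delta count>" for every VM directory holding more
# than MAX_CHAIN (default 3) delta disks.
find_long_chains() {
    root="$1"
    max_chain="${2:-3}"
    find "$root" -name '*-delta.vmdk' 2>/dev/null \
        | while IFS= read -r path; do dirname "$path"; done \
        | sort | uniq -c \
        | while read -r count dir; do
            if [ "$count" -gt "$max_chain" ]; then
                echo "$dir $count"
            fi
          done
    return 0
}

# Stand-alone use: snapshot_audit.sh /vmfs/volumes [MAX_MINUTES] [MAX_CHAIN]
if [ "$#" -ge 1 ]; then
    echo "== delta disks older than ${2:-4320} minutes =="
    find_stale_snapshots "$1" "${2:-4320}"
    echo "== chains longer than ${3:-3} snapshots =="
    find_long_chains "$1" "${3:-3}"
fi
```

Any path the first check prints is a snapshot to commit or investigate; any directory the second prints is a VM whose chain should be consolidated before it grows further. Running this from cron or a monitoring job gives the routine command-line check the guidance asks for.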

You can find some more details from VMware on troubleshooting snapshots here.


Sure, this is nothing earth shattering, but it's just something simple that can make your life easier. With a web browser and some links that I will provide below you can view some of the vSphere configuration files and messages from logs. This is probably the fastest way to get a view into your host without having to SSH into the server or use another method. This method works for both vSphere 4.0 and 4.1 hosts, and it works on both ESX and ESXi hosts.

You can view the VMware vSphere configuration files from a browser using a link formatted like the following: https://hostname/host From that link you will need to authenticate to your host, and then you will be able to view a list of files from the host. The list of files presented will include configuration files and some logs.

There is another page viewable with a web browser that will show you log messages from your ESX or ESXi host. Use the following syntax for the link: https://hostname/host/messages
